Vulnerability Details : CVE-2023-5421
An attacker who is logged into OTRS as a user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediately after the data is saved. The issue only occurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before.
This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Vulnerability category: Cross site scripting (XSS), Input validation
Products affected by CVE-2023-5421
Exploit prediction scoring system (EPSS) score for CVE-2023-5421
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 22 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5421
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
3.5 | LOW | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N | 0.9 | 2.5 | OTRS AG | |
CWE ids for CVE-2023-5421
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security@otrs.com (Secondary)
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-5421
- https://otrs.com/release-notes/otrs-security-advisory-2023-09/ (OTRS Security Advisory 2023-09 | OTRS, Vendor Advisory)